search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
torture-krb5: add TGS-REQ testing to krb5.kdc.canon testsuite
[Samba.git] / source4 / torture / krb5 / kdc-canon.c
blob408e3564010e48078bb71007ca3cfe3c75ba61cd
1 /*
2 Unix SMB/CIFS implementation.
3
4 Validate the krb5 pac generation routines
5
6 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2015
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "system/kerberos.h"
25 #include "torture/smbtorture.h"
26 #include "torture/krb5/proto.h"
27 #include "auth/credentials/credentials.h"
28 #include "lib/cmdline/popt_common.h"
29 #include "source4/auth/kerberos/kerberos.h"
30 #include "source4/auth/kerberos/kerberos_util.h"
31 #include "lib/util/util_net.h"
32
33 #define TEST_CANONICALIZE 0x0000001
34 #define TEST_ENTERPRISE 0x0000002
35 #define TEST_UPPER_REALM 0x0000004
36 #define TEST_UPPER_USERNAME 0x0000008
37 #define TEST_NETBIOS_REALM 0x0000010
38 #define TEST_WIN2K 0x0000020
39 #define TEST_UPN 0x0000040
40 #define TEST_ALL 0x000007F
41
42 struct test_data {
43 const char *test_name;
44 struct smb_krb5_context *smb_krb5_context;
45 const char *realm;
46 const char *real_realm;
47 const char *real_domain;
48 const char *username;
49 const char *real_username;
50 bool canonicalize;
51 bool enterprise;
52 bool upper_realm;
53 bool upper_username;
54 bool netbios_realm;
55 bool win2k;
56 bool upn;
57 bool other_upn_suffix;
58 };
59
60 enum test_stage {
61 TEST_AS_REQ = 0,
62 TEST_SELF_TRUST_TGS_REQ,
63 TEST_TGS_REQ,
64 TEST_TGS_REQ_KRBTGT,
65 TEST_DONE
66 };
67
68 struct torture_krb5_context {
69 struct torture_context *tctx;
70 struct addrinfo *server;
71 struct test_data *test_data;
72 int packet_count;
73 enum test_stage test_stage;
74 AS_REQ as_req;
75 AS_REP as_rep;
76 TGS_REQ tgs_req;
77 TGS_REP tgs_rep;
78 };
79
80
81 /*
82 * Confirm that the outgoing packet meets certain expectations. This
83 * should be extended to further assert the correct and expected
84 * behaviour of the krb5 libs, so we know what we are sending to the
85 * server.
86 *
87 * Additionally, this CHANGES the request to remove the canonicalize
88 * flag automatically added by the krb5 libs when an enterprise
89 * principal is used, so we can test what the server does in this
90 * combination.
91 *
92 */
93
94 static bool torture_krb5_pre_send_as_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, size_t used, krb5_data *modified_send_buf)
95 {
96 krb5_error_code k5ret;
97 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
98 torture_assert_int_equal(test_context->tctx, test_context->as_req.pvno, 5, "Got wrong as_req->pvno");
99 if (test_context->test_data->canonicalize || test_context->test_data->enterprise) {
100 torture_assert(test_context->tctx, test_context->as_req.req_body.kdc_options.canonicalize, "krb5 libs did not set canonicalize!");
101 } else {
102 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.kdc_options.canonicalize, false, "krb5 libs unexpectedly set canonicalize!");
103 }
104
105 if (test_context->test_data->enterprise) {
106 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, "krb5 libs did not pass principal as enterprise!");
107 } else {
108 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.cname->name_type, KRB5_NT_PRINCIPAL, "krb5 libs unexpectedly set principal as enterprise!");
109 }
110
111 /* Force off canonicalize that was forced on by the krb5 libs */
112 if (test_context->test_data->canonicalize == false && test_context->test_data->enterprise) {
113 test_context->as_req.req_body.kdc_options.canonicalize = false;
114 }
115
116 ASN1_MALLOC_ENCODE(AS_REQ, modified_send_buf->data, modified_send_buf->length,
117 &test_context->as_req, &used, k5ret);
118 torture_assert_int_equal(test_context->tctx,
119 k5ret, 0,
120 "encode_AS_REQ failed");
121 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "re-encode length mismatch");
122 return true;
123 }
124
125 static bool torture_krb5_pre_send_self_trust_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, size_t used, krb5_data *modified_send_buf)
126 {
127 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
128 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
129 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.kdc_options.canonicalize, false, "krb5 libs unexpectedly set canonicalize!");
130
131
132 torture_assert_str_equal(test_context->tctx,
133 test_context->tgs_req.req_body.realm,
134 test_context->test_data->real_realm,
135 "Mismatch in realm between request and expected request");
136
137 torture_assert_int_equal(test_context->tctx,
138 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
139 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
140 torture_assert_int_equal(test_context->tctx,
141 test_context->tgs_req.req_body.sname->name_string.len, 2,
142 "Mismatch in name between request and expected request, expected krbtgt/realm");
143 torture_assert_str_equal(test_context->tctx,
144 test_context->tgs_req.req_body.sname->name_string.val[0], "krbtgt",
145 "Mismatch in name between request and expected request, expected krbtgt");
146 torture_assert_str_equal(test_context->tctx,
147 test_context->tgs_req.req_body.sname->name_string.val[1], test_context->test_data->realm,
148 "Mismatch in realm part of cross-realm request principal between request and expected request");
149
150 *modified_send_buf = *send_buf;
151
152 return true;
153 }
154
155 static bool torture_krb5_pre_send_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, size_t used, krb5_data *modified_send_buf)
156 {
157 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
158 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
159 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.kdc_options.canonicalize, false, "krb5 libs unexpectedly set canonicalize!");
160
161 if (test_context->test_data->enterprise) {
162 torture_assert_int_equal(test_context->tctx,
163 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL,
164 "Mismatch in name type between request and expected request, expected KRB5_NT_ENTERPRISE_PRINCIPAL");
165 torture_assert_str_equal(test_context->tctx,
166 test_context->tgs_req.req_body.realm, test_context->test_data->real_realm,
167 "Mismatch in realm between request and expected request");
168
169 } else {
170 torture_assert_int_equal(test_context->tctx,
171 test_context->tgs_req.req_body.sname->name_type, KRB5_NT_PRINCIPAL,
172 "Mismatch in name type between request and expected request, expected KRB5_NT_PRINCIPAL");
173 torture_assert_str_equal(test_context->tctx,
174 test_context->tgs_req.req_body.realm, test_context->test_data->realm,
175 "Mismatch in realm between request and expected request");
176
177 }
178 *modified_send_buf = *send_buf;
179
180 return true;
181 }
182
183 static bool torture_krb5_pre_send_tgs_req_krbtgt_test(struct torture_krb5_context *test_context, const krb5_data *send_buf, size_t used, krb5_data *modified_send_buf)
184 {
185 torture_assert_int_equal(test_context->tctx, used, send_buf->length, "length mismatch");
186 torture_assert_int_equal(test_context->tctx, test_context->tgs_req.pvno, 5, "Got wrong as_req->pvno");
187 torture_assert_int_equal(test_context->tctx, test_context->as_req.req_body.kdc_options.canonicalize, false, "krb5 libs unexpectedly set canonicalize!");
188
189 if (test_context->test_data->canonicalize) {
190 torture_assert_str_equal(test_context->tctx,
191 test_context->tgs_req.req_body.realm,
192 test_context->test_data->real_realm,
193 "Mismatch in realm between request and expected request");
194 } else {
195 torture_assert_str_equal(test_context->tctx,
196 test_context->tgs_req.req_body.realm,
197 test_context->test_data->realm,
198 "Mismatch in realm between request and expected request");
199 }
200
201 *modified_send_buf = *send_buf;
202
203 return true;
204 }
205
206 /*
207 * Confirm that the incoming packet from the KDC meets certain
208 * expectations. This uses a packet count to work out what test we
209 * are in, and where in the test we are, so we can assert on the
210 * expected reply packets from the KDC.
211 *
212 */
213
214 static bool torture_krb5_post_recv_as_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
215 {
216 KRB_ERROR error;
217 size_t used;
218 if (test_context->packet_count == 0) {
219 torture_assert_int_equal(test_context->tctx,
220 decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used), 0,
221 "decode_AS_REP failed");
222 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
223 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
224 if (test_context->test_data->netbios_realm && test_context->test_data->upn) {
225 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
226 "Got wrong error.error_code");
227 } else {
228 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_PREAUTH_REQUIRED - KRB5KDC_ERR_NONE,
229 "Got wrong error.error_code");
230 }
231 free_KRB_ERROR(&error);
232 } else if ((decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0)
233 && (test_context->packet_count == 1)) {
234 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
235 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
236 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KRB_ERR_RESPONSE_TOO_BIG - KRB5KDC_ERR_NONE,
237 "Got wrong error.error_code");
238 free_KRB_ERROR(&error);
239 } else {
240 torture_assert_int_equal(test_context->tctx,
241 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0,
242 "decode_AS_REP failed");
243 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
244 torture_assert_int_equal(test_context->tctx,
245 test_context->as_rep.pvno, 5,
246 "Got wrong as_rep->pvno");
247 torture_assert_int_equal(test_context->tctx,
248 test_context->as_rep.ticket.tkt_vno, 5,
249 "Got wrong as_rep->ticket.tkt_vno");
250 torture_assert(test_context->tctx,
251 test_context->as_rep.ticket.enc_part.kvno,
252 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
253 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
254 torture_assert_int_not_equal(test_context->tctx,
255 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
256 0, "Did not get a RODC number in the KVNO");
257 } else {
258 torture_assert_int_equal(test_context->tctx,
259 *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
260 0, "Unexpecedly got a RODC number in the KVNO");
261 }
262 free_AS_REP(&test_context->as_rep);
263 }
264 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets");
265 free_AS_REQ(&test_context->as_req);
266 return true;
267 }
268
269 static bool torture_krb5_post_recv_self_trust_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
270 {
271 size_t used;
272 torture_assert_int_equal(test_context->tctx,
273 decode_TGS_REP(recv_buf->data, recv_buf->length, &test_context->tgs_rep, &used), 0,
274 "decode_TGS_REP failed");
275 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
276 torture_assert_int_equal(test_context->tctx,
277 test_context->tgs_rep.pvno, 5,
278 "Got wrong as_rep->pvno");
279 torture_assert_int_equal(test_context->tctx,
280 test_context->tgs_rep.ticket.tkt_vno, 5,
281 "Got wrong as_rep->ticket.tkt_vno");
282 torture_assert(test_context->tctx,
283 test_context->tgs_rep.ticket.enc_part.kvno,
284 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
285 torture_assert_str_equal(test_context->tctx,
286 test_context->tgs_req.req_body.realm,
287 test_context->tgs_rep.ticket.realm, "Mismatch in realm between request and ticket response");
288 torture_assert_int_equal(test_context->tctx,
289 test_context->tgs_req.req_body.sname->name_type,
290 test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
291 torture_assert_int_equal(test_context->tctx,
292 test_context->tgs_req.req_body.sname->name_type,
293 test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
294 if (torture_setting_bool(test_context->tctx, "expect_cached_at_rodc", false)) {
295 torture_assert_int_not_equal(test_context->tctx,
296 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
297 0, "Did not get a RODC number in the KVNO");
298 } else {
299 torture_assert_int_equal(test_context->tctx,
300 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
301 0, "Unexpecedly got a RODC number in the KVNO");
302 }
303 free_TGS_REP(&test_context->tgs_rep);
304 torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets");
305 test_context->packet_count = 0;
306 test_context->test_stage = TEST_TGS_REQ;
307 free_TGS_REQ(&test_context->tgs_req);
308 return true;
309 }
310
311 static bool torture_krb5_post_recv_tgs_req_test(struct torture_krb5_context *test_context, const krb5_data *recv_buf)
312 {
313 KRB_ERROR error;
314 size_t used;
315 if (decode_KRB_ERROR(recv_buf->data, recv_buf->length, &error, &used) == 0) {
316 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
317 torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno");
318 torture_assert_int_equal(test_context->tctx, error.error_code, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE,
319 "Got wrong error.error_code");
320 } else {
321 torture_assert_int_equal(test_context->tctx,
322 decode_TGS_REP(recv_buf->data, recv_buf->length, &test_context->tgs_rep, &used), 0,
323 "decode_TGS_REP failed");
324 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
325 torture_assert_int_equal(test_context->tctx,
326 test_context->tgs_rep.pvno, 5,
327 "Got wrong as_rep->pvno");
328 torture_assert_int_equal(test_context->tctx,
329 test_context->tgs_rep.ticket.tkt_vno, 5,
330 "Got wrong as_rep->ticket.tkt_vno");
331 torture_assert(test_context->tctx,
332 test_context->tgs_rep.ticket.enc_part.kvno,
333 "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
334 torture_assert_str_equal(test_context->tctx,
335 test_context->tgs_rep.ticket.realm,
336 test_context->test_data->real_realm,
337 "Mismatch in realm between ticket response and expected upper case REALM");
338 torture_assert_int_equal(test_context->tctx,
339 test_context->tgs_req.req_body.sname->name_type,
340 test_context->tgs_rep.ticket.sname.name_type, "Mismatch in name_type between request and ticket response");
341 torture_assert_int_equal(test_context->tctx,
342 *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000,
343 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO");
344 free_TGS_REP(&test_context->tgs_rep);
345 }
346 torture_assert(test_context->tctx, test_context->packet_count < 2, "too many packets");
347 free_TGS_REQ(&test_context->tgs_req);
348 return true;
349 }
350
351 /*
352 * This function is set in torture_krb5_init_context_canon as krb5
353 * send_and_recv function. This allows us to override what server the
354 * test is aimed at, and to inspect the packets just before they are
355 * sent to the network, and before they are processed on the recv
356 * side.
357 *
358 * The torture_krb5_pre_send_test() and torture_krb5_post_recv_test()
359 * functions are implement the actual tests.
360 *
361 * When this asserts, the caller will get a spurious 'cannot contact
362 * any KDC' message.
363 *
364 */
365 static krb5_error_code smb_krb5_send_and_recv_func_canon_override(krb5_context context,
366 void *data, /* struct torture_krb5_context */
367 krb5_krbhst_info *hi,
368 time_t timeout,
369 const krb5_data *send_buf,
370 krb5_data *recv_buf)
371 {
372 krb5_error_code k5ret;
373 bool ok = false;
374 krb5_data modified_send_buf;
375 size_t used;
376
377 struct torture_krb5_context *test_context
378 = talloc_get_type_abort(data, struct torture_krb5_context);
379
380 if (test_context->test_stage == TEST_DONE) {
381 torture_warning(test_context->tctx, "Unexpected outgoing packet from krb5 libs");
382 return EINVAL;
383 }
384 k5ret = decode_AS_REQ(send_buf->data, send_buf->length, &test_context->as_req, &used);
385
386 if (k5ret == 0) {
387 test_context->test_stage = TEST_AS_REQ;
388 ok = torture_krb5_pre_send_as_req_test(test_context, send_buf, used, &modified_send_buf);
389 } else {
390 k5ret = decode_TGS_REQ(send_buf->data, send_buf->length, &test_context->tgs_req, &used);
391 if (k5ret == 0) {
392 if (test_context->test_stage == TEST_AS_REQ) {
393 test_context->packet_count = 0;
394 if (test_context->test_data->canonicalize == false
395 || test_context->test_data->enterprise
396 || (test_context->test_data->upper_realm && test_context->test_data->netbios_realm == false)) {
397 test_context->test_stage = TEST_TGS_REQ;
398 } else {
399 test_context->test_stage = TEST_SELF_TRUST_TGS_REQ;
400 }
401 }
402 if (test_context->test_stage == TEST_SELF_TRUST_TGS_REQ) {
403 ok = torture_krb5_pre_send_self_trust_tgs_req_test(test_context, send_buf, used, &modified_send_buf);
404 } else if (test_context->test_stage == TEST_TGS_REQ) {
405 ok = torture_krb5_pre_send_tgs_req_test(test_context, send_buf, used, &modified_send_buf);
406 } else if (test_context->test_stage == TEST_TGS_REQ_KRBTGT) {
407 ok = torture_krb5_pre_send_tgs_req_krbtgt_test(test_context, send_buf, used, &modified_send_buf);
408 }
409 } else {
410 torture_warning(test_context->tctx, "Failed to parse outgoing packet from krb5 libs");
411 }
412 }
413 if (ok == false) {
414 return EINVAL;
415 }
416
417 k5ret = smb_krb5_send_and_recv_func_forced(context, test_context->server,
418 hi, timeout, &modified_send_buf,
419 recv_buf);
420 if (k5ret != 0) {
421 return k5ret;
422 }
423
424 if (test_context->test_stage == TEST_AS_REQ) {
425 ok = torture_krb5_post_recv_as_req_test(test_context, recv_buf);
426 } else if (test_context->test_stage == TEST_SELF_TRUST_TGS_REQ) {
427 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
428 } else if (test_context->test_stage == TEST_TGS_REQ) {
429 ok = torture_krb5_post_recv_tgs_req_test(test_context, recv_buf);
430 } else if (test_context->test_stage == TEST_TGS_REQ_KRBTGT) {
431 ok = torture_krb5_post_recv_self_trust_tgs_req_test(test_context, recv_buf);
432 }
433 if (ok == false) {
434 return EINVAL;
435 }
436
437 test_context->packet_count++;
438
439 return k5ret;
440 }
441
442 static int test_context_destructor(struct torture_krb5_context *test_context)
443 {
444 freeaddrinfo(test_context->server);
445 return 0;
446 }
447
448
449 static bool torture_krb5_init_context_canon(struct torture_context *tctx,
450 struct test_data *test_data,
451 struct smb_krb5_context **smb_krb5_context)
452 {
453 const char *host = torture_setting_string(tctx, "host", NULL);
454 krb5_error_code k5ret;
455 bool ok;
456
457 struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context);
458 torture_assert(tctx, test_context != NULL, "Failed to allocate");
459
460 test_context->test_data = test_data;
461 test_context->tctx = tctx;
462
463 k5ret = smb_krb5_init_context(tctx, tctx->lp_ctx, smb_krb5_context);
464 torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
465
466 ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST);
467 torture_assert(tctx, ok, "Failed to parse target server");
468
469 talloc_set_destructor(test_context, test_context_destructor);
470
471 set_sockaddr_port(test_context->server->ai_addr, 88);
472
473 k5ret = krb5_set_send_to_kdc_func((*smb_krb5_context)->krb5_context,
474 smb_krb5_send_and_recv_func_canon_override,
475 test_context);
476 torture_assert_int_equal(tctx, k5ret, 0, "krb5_set_send_to_kdc_func failed");
477 return true;
478 }
479
480
481 static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *tcase_data)
482 {
483 krb5_error_code k5ret;
484 krb5_get_init_creds_opt *krb_options = NULL;
485 struct test_data *test_data = talloc_get_type_abort(tcase_data, struct test_data);
486 char *username;
487 krb5_principal principal;
488 krb5_principal expected_principal;
489 char *principal_string;
490 int principal_flags;
491 char *expected_principal_string;
492 int expected_principal_flags;
493 char *got_principal_string;
494 char *assertion_message;
495 const char *password = cli_credentials_get_password(cmdline_credentials);
496 struct smb_krb5_context *smb_krb5_context;
497 bool ok;
498 krb5_creds my_creds;
499 krb5_ccache ccache;
500 krb5_auth_context auth_context;
501 char *cc_name;
502 krb5_data in_data, enc_ticket;
503
504 const char *upn = torture_setting_string(tctx, "krb5-upn", "");
505
506 /*
507 * If we have not passed a UPN on the command line,
508 * then skip the UPN tests.
509 */
510 if (test_data->upn && upn[0] == '\0') {
511 torture_skip(tctx, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run");
512 }
513
514 if (test_data->netbios_realm) {
515 test_data->realm = test_data->real_domain;
516 } else {
517 test_data->realm = test_data->real_realm;
518 }
519
520 if (test_data->upn) {
521 char *p;
522 test_data->username = talloc_strdup(test_data, upn);
523 p = strchr(test_data->username, '@');
524 if (p) {
525 *p = '\0';
526 p++;
527 }
528 /*
529 * Test the UPN behaviour carefully. We can
530 * test in two different modes, depending on
531 * what UPN has been set up for us.
532 *
533 * If the UPN is in our realm, then we do all the tests with this name also.
534 *
535 * If the UPN is not in our realm, then we
536 * expect the tests that replace the realm to
537 * fail (as it won't match)
538 */
539 if (strcasecmp(p, test_data->real_realm) != 0) {
540 test_data->other_upn_suffix = true;
541 } else {
542 test_data->other_upn_suffix = false;
543 }
544
545 /*
546 * This lets us test the combination of the UPN prefix
547 * with a valid domain, without adding even more
548 * combinations
549 */
550 if (test_data->netbios_realm == false) {
551 test_data->realm = p;
552 }
553 }
554
555 ok = torture_krb5_init_context_canon(tctx, test_data, &smb_krb5_context);
556 torture_assert(tctx, ok, "torture_krb5_init_context failed");
557
558 if (test_data->upper_realm) {
559 test_data->realm = strupper_talloc(test_data, test_data->realm);
560 } else {
561 test_data->realm = strlower_talloc(test_data, test_data->realm);
562 }
563 if (test_data->upper_username) {
564 username = strupper_talloc(test_data, test_data->username);
565 } else {
566 username = talloc_strdup(test_data, test_data->username);
567 }
568
569 principal_string = talloc_asprintf(test_data, "%s@%s", username, test_data->realm);
570
571 /*
572 * If we are set to canonicalize, we get back the fixed UPPER
573 * case realm, and the real username (ie matching LDAP
574 * samAccountName)
575 *
576 * Otherwise, if we are set to enterprise, we
577 * get back the whole principal as-sent
578 *
579 * Finally, if we are not set to canonicalize, we get back the
580 * fixed UPPER case realm, but the as-sent username
581 */
582 if (test_data->canonicalize) {
583 expected_principal_string = talloc_asprintf(test_data, "%s@%s", test_data->real_username, test_data->real_realm);
584 } else if (test_data->enterprise) {
585 expected_principal_string = principal_string;
586 } else {
587 expected_principal_string = talloc_asprintf(test_data, "%s@%s", username, test_data->real_realm);
588 }
589
590 if (test_data->enterprise) {
591 principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE;
592 } else {
593 if (test_data->upn && test_data->other_upn_suffix) {
594 torture_skip(tctx, "UPN test for UPN with other UPN suffix only runs with enterprise principals");
595 }
596 principal_flags = 0;
597 }
598
599 if (test_data->canonicalize) {
600 expected_principal_flags = 0;
601 } else {
602 expected_principal_flags = principal_flags;
603 }
604
605 torture_assert_int_equal(tctx,
606 krb5_parse_name_flags(smb_krb5_context->krb5_context,
607 principal_string,
608 principal_flags,
609 &principal),
610 0, "krb5_parse_name_flags failed");
611 torture_assert_int_equal(tctx,
612 krb5_parse_name_flags(smb_krb5_context->krb5_context,
613 expected_principal_string,
614 expected_principal_flags,
615 &expected_principal),
616 0, "krb5_parse_name_flags failed");
617
618 /*
619 * Set the canonicalize flag if this test requires it
620 */
621 torture_assert_int_equal(tctx,
622 krb5_get_init_creds_opt_alloc(smb_krb5_context->krb5_context, &krb_options),
623 0, "krb5_get_init_creds_opt_alloc failed");
624
625 torture_assert_int_equal(tctx,
626 krb5_get_init_creds_opt_set_canonicalize(smb_krb5_context->krb5_context, krb_options, test_data->canonicalize),
627 0, "krb5_get_init_creds_opt_set_canonicalize failed");
628
629 torture_assert_int_equal(tctx,
630 krb5_get_init_creds_opt_set_win2k(smb_krb5_context->krb5_context, krb_options, test_data->win2k),
631 0, "krb5_get_init_creds_opt_set_win2k failed");
632
633 k5ret = krb5_get_init_creds_password(smb_krb5_context->krb5_context, &my_creds, principal,
634 password, NULL, NULL, 0,
635 NULL, krb_options);
636 krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
637
638 if (test_data->netbios_realm && test_data->upn) {
639 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, "Got wrong error_code from krb5_get_init_creds_password");
640 /* We can't proceed with more checks */
641 return true;
642 } else {
643 assertion_message = talloc_asprintf(tctx,
644 "krb5_get_init_creds_password for %s failed: %s",
645 principal_string,
646 smb_get_krb5_error_message(smb_krb5_context->krb5_context, k5ret, tctx));
647 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
648 }
649
650 /*
651 * Assert that the reply was with the correct type of
652 * principal, depending on the flags we set
653 */
654 if (test_data->canonicalize == false && test_data->enterprise) {
655 torture_assert_int_equal(tctx,
656 krb5_principal_get_type(smb_krb5_context->krb5_context,
657 my_creds.client), KRB5_NT_ENTERPRISE_PRINCIPAL,
658 "smb_krb5_init_context gave incorrect client->name.name_type");
659 } else {
660 torture_assert_int_equal(tctx,
661 krb5_principal_get_type(smb_krb5_context->krb5_context,
662 my_creds.client), KRB5_NT_PRINCIPAL,
663 "smb_krb5_init_context gave incorrect client->name.name_type");
664 }
665
666 torture_assert_int_equal(tctx,
667 krb5_unparse_name(smb_krb5_context->krb5_context,
668 my_creds.client, &got_principal_string), 0,
669 "krb5_unparse_name failed");
670
671 assertion_message = talloc_asprintf(tctx,
672 "krb5_get_init_creds_password returned a different principal %s to what was expected %s",
673 got_principal_string, expected_principal_string);
674 krb5_free_unparsed_name(smb_krb5_context->krb5_context, got_principal_string);
675
676 torture_assert(tctx, krb5_principal_compare(smb_krb5_context->krb5_context,
677 my_creds.client, expected_principal),
678 assertion_message);
679
680
681 torture_assert_int_equal(tctx,
682 krb5_principal_get_type(smb_krb5_context->krb5_context,
683 my_creds.server), KRB5_NT_SRV_INST,
684 "smb_krb5_init_context gave incorrect server->name.name_type");
685
686 torture_assert_int_equal(tctx,
687 krb5_principal_get_num_comp(smb_krb5_context->krb5_context,
688 my_creds.server), 2,
689 "smb_krb5_init_context gave incorrect number of components in my_creds.server->name");
690
691 torture_assert_str_equal(tctx, krb5_principal_get_comp_string(smb_krb5_context->krb5_context,
692 my_creds.server, 0),
693 "krbtgt",
694 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0]");
695
696 if (test_data->canonicalize || test_data->enterprise) {
697 torture_assert_str_equal(tctx, krb5_principal_get_comp_string(smb_krb5_context->krb5_context,
698 my_creds.server, 1),
699 test_data->real_realm,
700
701 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
702 } else {
703 torture_assert_str_equal(tctx, krb5_principal_get_comp_string(smb_krb5_context->krb5_context,
704 my_creds.server, 1),
705 test_data->realm,
706
707 "smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1]");
708 }
709 torture_assert_str_equal(tctx, krb5_principal_get_realm(smb_krb5_context->krb5_context,
710 my_creds.server),
711 test_data->real_realm,
712 "smb_krb5_init_context gave incorrect my_creds.server->realm");
713
714 /* Store the result of the 'kinit' above into a memory ccache */
715 cc_name = talloc_asprintf(tctx, "MEMORY:%s", test_data->test_name);
716 torture_assert_int_equal(tctx, krb5_cc_resolve(smb_krb5_context->krb5_context, cc_name,
717 &ccache),
718 0, "krb5_cc_resolve failed");
719
720 torture_assert_int_equal(tctx, krb5_cc_initialize(smb_krb5_context->krb5_context,
721 ccache, my_creds.client),
722 0, "krb5_cc_initialize failed");
723
724 torture_assert_int_equal(tctx, krb5_cc_store_cred(smb_krb5_context->krb5_context,
725 ccache, &my_creds),
726 0, "krb5_cc_store_cred failed");
727
728 /* Prepare a TGS-REQ */
729 torture_assert_int_equal(tctx, krb5_auth_con_init(smb_krb5_context->krb5_context, &auth_context),
730 0, "krb5_auth_con_init failed");
731
732 /* Confirm we can not ask for our own name as a server */
733 in_data.length = 0;
734 k5ret = krb5_mk_req_exact(smb_krb5_context->krb5_context,
735 &auth_context,
736 0,
737 principal,
738 &in_data, ccache,
739 &enc_ticket);
740
741 assertion_message = talloc_asprintf(tctx,
742 "krb5_mk_req_exact for %s failed: %s",
743 principal_string,
744 smb_get_krb5_error_message(smb_krb5_context->krb5_context, k5ret, tctx));
745 if (torture_setting_bool(tctx, "expect_machine_account", false)) {
746 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
747 } else {
748 torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, assertion_message);
749 }
750
751 /*
752 * Ask for a ticket to the KDC krbtgt account itself. The
753 * value in my_creds.server varies (in the non-canonicalize
754 * case) per the AS-REQ tests above, so we cover the same
755 * variations
756 */
757 in_data.length = 0;
758 k5ret = krb5_mk_req_exact(smb_krb5_context->krb5_context,
759 &auth_context,
760 0,
761 my_creds.server,
762 &in_data, ccache,
763 &enc_ticket);
764
765 assertion_message = talloc_asprintf(tctx,
766 "krb5_mk_req_exact for %s failed: %s",
767 principal_string,
768 smb_get_krb5_error_message(smb_krb5_context->krb5_context, k5ret, tctx));
769 torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
770
771 krb5_free_principal(smb_krb5_context->krb5_context, principal);
772
773 torture_assert_int_equal(tctx, krb5_free_cred_contents(smb_krb5_context->krb5_context, &my_creds),
774 0, "krb5_free_cred_contents failed");
775
776 return true;
777 }
778
779 struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
780 {
781 unsigned int i;
782 struct torture_suite *suite = torture_suite_create(mem_ctx, "canon");
783 suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
784
785 for (i = 0; i < TEST_ALL; i++) {
786 char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s",
787 (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
788 (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
789 (i & TEST_UPPER_REALM) ? "uc-realm" : "lc-realm",
790 (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
791 (i & TEST_NETBIOS_REALM) ? "netbios-realm" : "krb5-realm",
792 (i & TEST_WIN2K) ? "win2k" : "no-win2k",
793 (i & TEST_UPN) ? "upn" : "no-upn");
794
795 struct test_data *test_data = talloc_zero(suite, struct test_data);
796
797 test_data->test_name = name;
798 test_data->real_realm = strupper_talloc(test_data, cli_credentials_get_realm(cmdline_credentials));
799 test_data->real_domain = cli_credentials_get_domain(cmdline_credentials);
800 test_data->username = cli_credentials_get_username(cmdline_credentials);
801 test_data->real_username = cli_credentials_get_username(cmdline_credentials);
802 test_data->canonicalize = (i & TEST_CANONICALIZE) != 0;
803 test_data->enterprise = (i & TEST_ENTERPRISE) != 0;
804 test_data->upper_realm = (i & TEST_UPPER_REALM) != 0;
805 test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0;
806 test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
807 test_data->win2k = (i & TEST_WIN2K) != 0;
808 test_data->upn = (i & TEST_UPN) != 0;
809 torture_suite_add_simple_tcase_const(suite, name, torture_krb5_as_req_canon,
810 test_data);
811
812 }
813 return suite;
814 }
Samba GIT mirror